Re: test - ignore

2022-01-27 Thread Benny Pedersen 

On 2022-01-27 08:42, Matus UHLAR - fantomas wrote:


however, this discussion should be probably closed as it's not anymore
related to this mailing list operatiorns.


i only replyed to isc ignore in first place to heads up on that thay 
break there own dkim signer, when maillists do this all will downstream 
break


note disabling dmarc does not fix dkim rejects

take care, we are on a maillist that still break dkim
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test - ignore

2022-01-26 Thread Matus UHLAR - fantomas 

On 26 Jan 2022, at 17.14, Matus UHLAR - fantomas  wrote:

Altering the body or headers at all (whch lists do) will often break the
hashing.  For this reason, most recent versions of mailman have an option
to rewrite your mail from:



On 26.01.22 17:30, Sten Carlsen wrote:

When the dkim is set up, you can select which parts of the header you want
to include in the signature.


this is not possible for body: modification of body (which this list does)
will always break DKIM signatures.

modifying list of headers to sign should be done carefully, to avoid
either breaking and faking.


I have selected a smaller part of the headers for my signature,  so does
this go through?


since domain s-carlsen.dk don't have dmarc policy, mailman does not care and
leaves dkim as is (broken) as described below.


...but only in the event you have a restrictive DMARC policy.



this explains why both your and Benny's mail did fail here, while Eduard's
did not - that one was signed by mailman because of his domains' restrictive
policy.


however, this discussion should be probably closed as it's not anymore
related to this mailing list operatiorns.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test - ignore

2022-01-26 Thread Sten Carlsen 

Thanks

Sten

> On 26 Jan 2022, at 17.14, Matus UHLAR - fantomas  wrote:
> 
>>> On Jan 25, 2022, at 8:50 AM, Benny Pedersen  wrote:
>>> Authentication-Results: lists.isc.org;
>>> dkim=fail reason="signature verification failed" (1024-bit key; 
>>> unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
>>> dkim=fail reason="signature verification failed" (1024-bit key; 
>>> unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
> 
> On 25.01.22 12:25, Dan Mahoney wrote:
>> The headers you cite are lying to you.  :) The message passed DKIM on the
>> way IN to lists.isc.org (the dedicated vm that runs our lists), but then,
>> when the message got to the mailman python scripts and then shot back out
>> via the MTA, they had an altered body and no longer passed, and the header
>> was rewritten to say "fail".  (This is visible from the logging on the
>> servers, but nowhere else).
> 
> there were multiple headers when that mail came here:
> 
> Authentication-Results: fantomas.fantomas.sk;
>   dkim=fail reason="signature verification failed" (1024-bit key; secure) 
> header.d=isc.org header.i=@isc.org header.b="q/vOEba5";
>   dkim=fail reason="signature verification failed" (1024-bit key; secure) 
> header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z";
>   dkim-atps=neutral
> Authentication-Results: lists.isc.org;
>   dkim=fail reason="signature verification failed" (1024-bit key; 
> unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
>   dkim=fail reason="signature verification failed" (1024-bit key; 
> unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
> 
> obviously when the mail came to list, DKIM was fine, not so after it left
> (thanks to list signature)
> 
>>> will my dkim fail aswell ?
> 
> it did...
> 
>> Altering the body or headers at all (whch lists do) will often break the
>> hashing.  For this reason, most recent versions of mailman have an option
>> to rewrite your mail from:

When the dkim is set up, you can select which parts of the header you want to 
include in the signature.

I have selected a smaller part of the headers for my signature,  so does this 
go through?

> 
> [...]
> 
>> ...but only in the event you have a restrictive DMARC policy. 
> 
> this explains why both your and Benny's mail did fail here, while Eduard's
> did not - that one was signed by mailman because of his domains' restrictive
> policy.
> 
> I missed this part before.
> 
>> I've argued that it should be possible to do so for *any* dmarc policy,
>> even p=none, but that option is not present in mailman 3, at least.
> 
> I agree.
> spam filter is something that can use dkim fail and should not be ignored.
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Support bacteria - they're the only culture some people have.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test - ignore

2022-01-26 Thread Matus UHLAR - fantomas 

On Jan 25, 2022, at 8:50 AM, Benny Pedersen  wrote:
Authentication-Results: lists.isc.org;
dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z


On 25.01.22 12:25, Dan Mahoney wrote:

The headers you cite are lying to you.  :) The message passed DKIM on the
way IN to lists.isc.org (the dedicated vm that runs our lists), but then,
when the message got to the mailman python scripts and then shot back out
via the MTA, they had an altered body and no longer passed, and the header
was rewritten to say "fail".  (This is visible from the logging on the
servers, but nowhere else).


there were multiple headers when that mail came here:

Authentication-Results: fantomas.fantomas.sk;
   dkim=fail reason="signature verification failed" (1024-bit key; secure) 
header.d=isc.org header.i=@isc.org header.b="q/vOEba5";
   dkim=fail reason="signature verification failed" (1024-bit key; secure) 
header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z";
   dkim-atps=neutral
Authentication-Results: lists.isc.org;
   dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
   dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z

obviously when the mail came to list, DKIM was fine, not so after it left
(thanks to list signature)


will my dkim fail aswell ?


it did...


Altering the body or headers at all (whch lists do) will often break the
hashing.  For this reason, most recent versions of mailman have an option
to rewrite your mail from:


[...]

...but only in the event you have a restrictive DMARC policy. 


this explains why both your and Benny's mail did fail here, while Eduard's
did not - that one was signed by mailman because of his domains' restrictive
policy.

I missed this part before.


I've argued that it should be possible to do so for *any* dmarc policy,
even p=none, but that option is not present in mailman 3, at least.


I agree.
spam filter is something that can use dkim fail and should not be ignored.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test - ignore

2022-01-25 Thread Dan Mahoney 


> On Jan 25, 2022, at 8:50 AM, Benny Pedersen  wrote:
> 
> On 2022-01-25 17:45, Greg Choules wrote:
>> Hello.
> 
> Authentication-Results: lists.isc.org;
>   dkim=fail reason="signature verification failed" (1024-bit key; 
> unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
>   dkim=fail reason="signature verification failed" (1024-bit key; 
> unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
> 
> dont know why it failed

I may as well answer this since other people chimed in on the test message.  
I'm Dan Mahoney, ISC's sysadmin who runs most of our mail systems, and, 
coincidentally, also do some work with the Trusted Domain Project on opendkim 
and opendmarc.

The headers you cite are lying to you.  :) The message passed DKIM on the way 
IN to lists.isc.org  (the dedicated vm that runs our 
lists), but then, when the message got to the mailman python scripts and then 
shot back out via the MTA, they had an altered body and no longer passed, and 
the header was rewritten to say "fail".  (This is visible from the logging on 
the servers, but nowhere else).

The solution here, is that lists.isc.org  should only be 
running in "signer" mode, and not verifying anything (we verify messages on our 
MXes, and make the decisions there to reject if dmarc says to do so).  The only 
things that lists.isc.org  will sign are things that it 
generates itself (i.e. things from the lists.isc.org  
domain).

> 
> will my dkim fail aswell ?

Re: DKIM failure, both SPF and DKIM is well known to be broken by mailing 
lists.  So if you're running a dmarc-enforced domain with a policy of P=reject, 
it's possible that mail you send via a list will be rejected.

Altering the body or headers at all (whch lists do) will often break the 
hashing.  For this reason, most recent versions of mailman have an option to 
rewrite your mail from:

From: "Benny Pedersen" http://example.com/>>

...to...

From: "Benny Pedersen via bind-users" http://lists.isc.org/>>
Reply-To: "Benny Pederson" http://example.com/>>
Cc: bind-users@lists.isc.org 

...but only in the event you have a restrictive DMARC policy.  I've argued that 
it should be possible to do so for *any* dmarc policy, even p=none, but that 
option is not present in mailman 3, at least.

Here at ISC, we have a little bit of a cheat -- messages *we* send to 
bind-users will pass SPF, because lists.isc.org  is in 
our SPF list.

The upcoming "better" solution for this is ARC: basically a way for 
lists.isc.org  to assert "This thing passed muster when 
it entered our borders, trust us".

-Dan Mahoney

> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



signature.asc
Description: Message signed with OpenPGP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test - ignore

2022-01-25 Thread Eduard via bind-users 
Try using a larger key, at least 2048 bits.

Check all your DNS entries and make sure everything matches correctly, MX, A, 
reverse, etc.

Check to see if your hostname used in the HELO/ELHO process matches what is in 
DNS.

Regards,
 
Eduard Tieseler
Network Operations Director
4050 Truxel Road Suite A
Sacramento, CA 95834
Office  916-922-7584 ext. 288
Fax 916-922-1835
etiese...@metrolist.net
 
   

 
Please consider the environment before printing this e-mail
THE INFORMATION CONTAINED IN THIS ELECTRONIC MESSAGE IS CONFIDENTIAL. THE 
INFORMATION IS INTENDED ONLY FOR THE USE OF THE INDIVIDUAL OR ENTITY TO WHOM IT 
IS ADDRESSED. IF YOU ARE NOT THE INTENDED RECIPIENT, ANY USE, DISSEMINATION, OR 
DISTRIBUTION OF THIS COMMUNICATION IS PROHIBITED. IF YOU HAVE RECEIVED THIS 
ELECTRONIC MESSAGE IN ERROR, PLEASE NOTIFY US IMMEDIATELY AND DELETE THE 
MESSAGE. ANY USE, MODIFICATION, OR REPUBLICATION OF THIS COMMUNICATION, 
INCLUDING ANY ATTACHED FILES, DOCUMENTS, DATA OR OTHER INFORMATION WHICH HAS 
NOT BEEN EXPRESSLY AUTHORIZED BY US IS PROHIBITED. WE SPECIFICALLY DISCLAIM 
RESPONSIBILITY FOR ANY UNAUTHORIZED USE OF THIS COMMUNICATION OR ANY 
ATTACHMENTS TO IT.

On 1/25/22, 8:51 AM, "bind-users on behalf of Benny Pedersen" 
 wrote:

On 2022-01-25 17:45, Greg Choules wrote:
> Hello.

Authentication-Results: lists.isc.org;
dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z

dont know why it failed

will my dkim fail aswell ?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test - ignore

2022-01-25 Thread Benny Pedersen 

On 2022-01-25 17:45, Greg Choules wrote:

Hello.


Authentication-Results: lists.isc.org;
	dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
	dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z


dont know why it failed

will my dkim fail aswell ?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Test mail to bind-users

2018-05-31 Thread Warren Kumari 
On Thu, May 31, 2018 at 3:48 AM Matus UHLAR - fantomas
 wrote:
>
> >On Wed, 30 May 2018, Michael McNally wrote:
> >>We have had reports that posts to bind-users are (in at least some
> >>cases) triggering unwelcome direct-to-the-submitter messages from
> >>spammers.
>
> it was about time ;-)
>
> On 31.05.18 08:28, G.W. Haywood via bind-users wrote:
> >I'm not sure that there's much that a list manager can do about it.
>
> they can find the abusers relay posts to spam senders and remove them.
>
> I have met similar case on IRC some 15-20 years ago. Spammer joined a
> channel, and relayed nicknames of those who joined (or left) so they got
> spam srom another nickname
>

... these has also been a (recent) issue where someone subscribed
their ticketing system to the list, and so every posting got a:
[ RT - #4217 ] AutoReply: Re: 

Thank you for opening a ticket. We will get to it soon.
Thanks,
   NOC.

W

> >This has been an issue for most of the lists to which I've subscribed
> >for decades.  My list addresses only accept mail from the lists to
> >which they're subscribed, and I'd imagine most other subscribers (at
> >least to the BIND list) would take similar precautions if necessary.
>
> not everyone can set up such configuration and not everyone of those who can
> is willing to play with it.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Remember half the people you know are below average.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Test mail to bind-users

2018-05-31 Thread Matus UHLAR - fantomas 

On Wed, 30 May 2018, Michael McNally wrote:

We have had reports that posts to bind-users are (in at least some
cases) triggering unwelcome direct-to-the-submitter messages from
spammers.


it was about time ;-)

On 31.05.18 08:28, G.W. Haywood via bind-users wrote:

I'm not sure that there's much that a list manager can do about it.


they can find the abusers relay posts to spam senders and remove them.

I have met similar case on IRC some 15-20 years ago. Spammer joined a
channel, and relayed nicknames of those who joined (or left) so they got
spam srom another nickname


This has been an issue for most of the lists to which I've subscribed
for decades.  My list addresses only accept mail from the lists to
which they're subscribed, and I'd imagine most other subscribers (at
least to the BIND list) would take similar precautions if necessary.


not everyone can set up such configuration and not everyone of those who can
is willing to play with it.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average. 
___

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Test mail to bind-users

2018-05-31 Thread G.W. Haywood via bind-users 

Hi Michael,

On Wed, 30 May 2018, Michael McNally wrote:


We have had reports that posts to bind-users are (in at least some
cases) triggering unwelcome direct-to-the-submitter messages from
spammers.

Please disregard this message while I try to gather some information
in the hopes of stopping this unwelcome behavior.


I'm not sure that there's much that a list manager can do about it.

This has been an issue for most of the lists to which I've subscribed
for decades.  My list addresses only accept mail from the lists to
which they're subscribed, and I'd imagine most other subscribers (at
least to the BIND list) would take similar precautions if necessary.

--

73,
Ged.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Test, please ignore

2016-11-20 Thread Browne, Stuart 
I dunno, at this rate someone's going to have to owe someone a beer or 
something. :P

> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John 
> W. Blue
> Sent: Monday, 21 November 2016 5:24 PM
> To: bind-us...@isc.org
> Subject: Re: Test, please ignore
> 
> Ignoring level currently at 100% of its original rated performance, beginning
> to throttle up to 104% but doing so under computer control.
> 
> Sent from Nine
> 
> > From: John Anderson <jo...@ccbill.com>
> > Sent: Nov 20, 2016 11:43 PM
> > To: Dan Mahoney <dmaho...@isc.org>;bind-us...@isc.org
> > Subject: RE: Test, please ignore
> > 
> > Ignore successful.
> > 
> > John A.
> > 
> > 
> > 
> > Sent from my T-Mobile 4G LTE Device
> > 
> > 
> > >  Original message 
> > > From: Dan Mahoney <dmaho...@isc.org> 
> > > Date: 2016/11/20 21:38 (GMT-07:00) 
> > > To: bind-us...@isc.org 
> > > Subject: Test, please ignore 
> > > Sorry for the noise
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Test, please ignore

2016-11-20 Thread John W. Blue 
Ignoring level currently at 100% of its original rated performance, beginning 
to throttle up to 104% but doing so under computer control.

Sent from Nine<http://www.9folders.com/>

From: John Anderson <jo...@ccbill.com>
Sent: Nov 20, 2016 11:43 PM
To: Dan Mahoney <dmaho...@isc.org>;bind-us...@isc.org
Subject: RE: Test, please ignore

Ignore successful.

John A.



Sent from my T-Mobile 4G LTE Device


 Original message 
From: Dan Mahoney <dmaho...@isc.org>
Date: 2016/11/20 21:38 (GMT-07:00)
To: bind-us...@isc.org
Subject: Test, please ignore

Sorry for the noise
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Test, please ignore

2016-11-20 Thread John Anderson 
Ignore successful.

John A.



Sent from my T-Mobile 4G LTE Device


 Original message 
From: Dan Mahoney 
Date: 2016/11/20 21:38 (GMT-07:00)
To: bind-us...@isc.org
Subject: Test, please ignore

Sorry for the noise
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test bind before moving to production

2014-07-04 Thread Reindl Harald 


Am 04.07.2014 04:29, schrieb brian:
 I can't get this to work.  I'm trying to use the test url tst.com.  
 When I open it in my browser, I get a server not found error.
 
 In /etc/resolv.conf I changed nameserver 127.0.0.1

 I created the file /var/named/tst.com.zone and added:
 @   IN  NS  ns.example.com.
 ns  IN  A   127.0.0.1

there is no tst.com in that zone.file
there is just ns.tst.com pointing to 127.0.0.1




signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test bind before moving to production

2014-07-04 Thread Matus UHLAR - fantomas 



Am 04.07.2014 04:29, schrieb brian:

I can't get this to work.  I'm trying to use the test url tst.com.
When I open it in my browser, I get a server not found error.

In /etc/resolv.conf I changed nameserver 127.0.0.1

I created the file /var/named/tst.com.zone and added:
@   IN  NS  ns.example.com.
ns  IN  A   127.0.0.1


On 04.07.14 11:36, Reindl Harald wrote:

there is no tst.com in that zone.file


actually, there is - the @ means the current origin (which is the zone name
from config file definition unless you override it).
But it only contains NS record, no A (or )


there is just ns.tst.com pointing to 127.0.0.1


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
to take effect. [OK]
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test bind before moving to production

2014-07-04 Thread Reindl Harald 

Am 04.07.2014 12:17, schrieb Matus UHLAR - fantomas:
 
 Am 04.07.2014 04:29, schrieb brian:
 I can't get this to work.  I'm trying to use the test url tst.com.
 When I open it in my browser, I get a server not found error.

 In /etc/resolv.conf I changed nameserver 127.0.0.1

 I created the file /var/named/tst.com.zone and added:
 @   IN  NS  ns.example.com.
 ns  IN  A   127.0.0.1
 
 On 04.07.14 11:36, Reindl Harald wrote:
 there is no tst.com in that zone.file
 
 actually, there is - the @ means the current origin 

tell me something new :-)

[root@ns2:~]$ ls named/zones/ | wc -l
521

 But it only contains NS record, no A (or )

and so there is no tst.com in that zone.file as i said

@  IN  A   127.0.0.1

would be the A record




signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test bind before moving to production

2014-07-03 Thread Jeremy C. Reed 
On Thu, 3 Jul 2014, brian wrote:

 I'm new to bind. I want to be able to test the dns server on my local
 machine before launching it by putting the domain names (ie example.com) in
 my browser and browsing the site.
 
 
 Both the dev and production machines are CentOS. I assume I'll need to edit
 the host file to redirect to the local dns. But with this method I'm not
 sure how it will resolve multiple domains (i.e. example.com and
 example2.com).

The host file (/etc/hosts I assume) won't help. You can use 
/etc/resolv.conf and have nameserver line point to your localhost for 
testing.

Or use dig with the @ argument to set the address of the nameserver to 
use. For example, dig @127.0.0.1 www.example.com. Then also try that 
from outside systems to using the @ with the network interface's 
address.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test bind before moving to production

2014-07-03 Thread Sten Carlsen 


On 03/07/14 16:39, Jeremy C. Reed wrote:
 On Thu, 3 Jul 2014, brian wrote:
 
 I'm new to bind. I want to be able to test the dns server on my local
 machine before launching it by putting the domain names (ie example.com) in
 my browser and browsing the site.


 Both the dev and production machines are CentOS. I assume I'll need to edit
 the host file to redirect to the local dns. But with this method I'm not
 sure how it will resolve multiple domains (i.e. example.com and
 example2.com).
 
 The host file (/etc/hosts I assume) won't help. You can use 
 /etc/resolv.conf and have nameserver line point to your localhost for 
 testing.
 
 Or use dig with the @ argument to set the address of the nameserver to 
 use. For example, dig @127.0.0.1 www.example.com. Then also try that 
 from outside systems to using the @ with the network interface's 
 address.
And note that the name server will not be publicly used until it is
published through the whole DNS chain. That means there is no reason you
could not put everything in place even public facing servers - nobody
will use them until referenced properly.

 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
 from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
 

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!!
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: test bind before moving to production

2014-07-03 Thread brian 
I can't get this to work.  I'm trying to use the test url tst.com.  
When I open it in my browser, I get a server not found error.


In /etc/resolv.conf I changed
  nameserver 127.0.0.1
I set:
 chattr +i /etc/resolv.conf
and rebooted and opened the file to verify that it wasn't getting 
overwritten


In /etc/named.conf I added
zone tst.com {
type master;
file /var/named/tst.com.zone;
};

I created the file /var/named/tst.com.zone and added:
$TTL 86400
$TTL604800
@   IN  SOA ns.example.com. root.example.com. (
  1 ; Serial
 604800 ; Refresh
  86400 ; Retry
2419200 ; Expire
 604800 )   ; Negative Cache TTL
;
@   IN  NS  ns.example.com.
ns  IN  A   127.0.0.1

In /usr/local/apache/conf/httpd.conf I added:
VirtualHost *:80
  ServerName tst.com
  DocumentRoot /tmp/public_html_tst01

  Directory /tmp/public_html_tst01
   AllowOverride None
   Require all denied
   Options Indexes Includes FollowSymLinks
  /Directory

  ErrorLog /tmp/apache_logs/error.log
/VirtualHost

If I run:
named-checkconf /etc/named.conf
I don't get any output

If I run
named-checkzone tst.com /var/named/tst.com.zone
I get:
zone tst.com/IN: loaded serial 1
OK

I checked the apache error log and it is empty.

Brian
On 07/03/2014 10:39 AM, Jeremy C. Reed wrote:

On Thu, 3 Jul 2014, brian wrote:


I'm new to bind. I want to be able to test the dns server on my local
machine before launching it by putting the domain names (ie example.com) in
my browser and browsing the site.


Both the dev and production machines are CentOS. I assume I'll need to edit
the host file to redirect to the local dns. But with this method I'm not
sure how it will resolve multiple domains (i.e. example.com and
example2.com).

The host file (/etc/hosts I assume) won't help. You can use
/etc/resolv.conf and have nameserver line point to your localhost for
testing.

Or use dig with the @ argument to set the address of the nameserver to
use. For example, dig @127.0.0.1 www.example.com. Then also try that
from outside systems to using the @ with the network interface's
address.



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Test DNSSEC validation

2012-04-18 Thread Jan-Piet Mens 
 What is the best way to log DNSSEC failures in Bind without enforcing
 DNSSEC validation?
 
 That is I want to see what Bind would have rejected because of failed
 DNSSEC validation, but I do not want to return SERVFAIL to my client.

I don't think that is possible without modifying the client(s) to query
with Checking Disabled. It sounds to me as though you're looking for a
add-cd-to-all-queries option on a validating BIND recursor; that
doesn't exist, as far as I know.

-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Test

2012-03-18 Thread G.W. Haywood 

Hi there,

On Sun, 18 Mar 2012, Rob Leslie wrote:


As the owner of the address forged by the sender, I am particularly annoyed.


http://www.openspf.org/

--

73,
Ged.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Test

2012-03-17 Thread Rob Leslie 
As the owner of the address forged by the sender, I am particularly annoyed.

-- 
Rob Leslie
r...@mars.org


On Mar 16, 2012, at 8:58 AM, Ian Manners wrote:

 I would NOT open the payload on this, just in case it gets through
 anyones filters etc (fished this one out of my ClamAV redirect directory)
 
 On Fri, 16 Mar 2012 23:30:08 +0800 r...@mars.org wrote:
 
 
 
 Cheers
 Ian Manners
 http://www.os2site.com/
 
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
 from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Test

2012-03-16 Thread Ian Manners 
I would NOT open the payload on this, just in case it gets through
anyones filters etc (fished this one out of my ClamAV redirect directory)

 On Fri, 16 Mar 2012 23:30:08 +0800 r...@mars.org wrote:



Cheers
Ian Manners
http://www.os2site.com/

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users